HP Recommended
HP LaserJet Pro MFP 4101fdn Printer

The newer HP MFP Pro Printers seem to have trouble with TLS certificate validation. I have a HP LaserJet Pro MFP M426fdw which I'm using scan to e-mail successfully with TLS enabled. The printer contacts the mail server on Port 465 for encrypted SMTP and everything works.

 

The newer MFP Pros with the new web interface do not work with these settings. When I configure an HP LaserJet Pro MFP 4101 fdn with the same settings that work with the M426fdw, I get a generic "System failure" message when I apply and test with an e-mail from the SMTP server settings.

 

scan_to_email_error.jpg

 

When I configure the newer MFP Pro printers to NOT use TLS on port 465 and say use port 587, I get a certificate validation error.

 

No amount of changing port settings, validation ticks, or different SMTP settings can get these newer MFP Pros to scan to e-mail.

 

Our mail host uses Let's Encrypt to encrypt its mail, so I even added Let's Encrypt's root server certificates to the printer under the Certificates page, to no avail.

 

Our mail server uses a subordinate of Let's Encrypt's ISRG Root X1 certificate which can be downloaded here:

https://letsencrypt.org/certificates/

 

I've added all of the Root and Subordinates to the printer as well, and I still can't scan to e-mail.

 

I'd really like to know how to get these printers to work with our mail host. I do see the printer conversing with the mail server via packet capture, but when they get to the certificate exchange is where the whole thing goes belly up.

 

I'd really like to know how to get extended troubleshooting information from the printer. Is there some debug log or extended logging facility which can be enabled to see where exactly this process is failing?

 

We have a handful of these printers and we'd really like to get them working with our infrastructure!

 

Thank you!

HP Recommended

Port 587 is the modern accepted port to be used. Not all mail services support 465 anymore. 

If you find the information provided useful or solves your problems, help other users find the solution easier by marking my post as an accepted solution. Clicking "yes" on "was this reply helpful" also increases the chances that this solution will help others.
I am a volunteer, offering my knowledge to support fellow users, I do not work for HP nor speak for HP.



HP Recommended

Gotcha, I was able to use port 465 on the older MFP in the past which is why I stuck with it on the new MFP.

 

I've updated the outbound SMTP credentials and configured it to use port 587, and now it tells me my credentials are invalid.

I'm literally logging into the web mail interface of the same mail account, but when I enter these credentials into the MFP somehow it's like what I input into the fields is being changed, I'm not sure if it's some sort of web form validation, a hidden field limit, or what. But I've triple checked my username and password, but when I enter these into the MFP it constantly comes back and tells me the credentials are invalid.

 

I reached out to my hosting provider, and they were able to look at the logs and indeed see that connects are failing due to a credential failure, since I can't watch the conversation via packet capture because TLS gets in the way.


I'm at my wits' end. I've never bumped into anything like this. I've reverted back to a simple 10 character password with no special characters and I can't have the printer authenticate successfully and send email.

 

I've enabled syslogging on the printer but it doesn't seem to log anything other than printer/system events it doesn't mention anything about SMTP connects.

 

Any ideas would be helpful,

Thanks.

HP Recommended

Hi Streamian, did you find out how to solve this issue? I have exactly the same issue, scan to email stopped working from one day to another. I have also tried the different ports but get the message that my credentials are invalid (they are correct).

HP Recommended

Hey ElsVK,

I opened a ticket with my ISP, and they kindly troubleshot with me. They found that the printer was authenticating with an older credential mechanism; when they enabled CRAM-MD5 on their SMTP server, the printer then authenticated successfully. However, even with the Let's Encrypt Root certificates installed into the printer I get this error:

 

streamlan_0-1728560391516.jpeg

 

I opened a case with HP, the technician kindly stated he'd forward on my findings, I painstakingly documented the situation and explained the situation as best I could, he then forwarded it off to the Printer Team, and they replied that they received no information about the issue hah!, so I'm going to try and re-shake this tree again.

Trouble is I get side tracked with other problems and I have to come back to this and remember all of the specifics about this issue.

 

Printers with the older web interface like the HP LaserJet MFP Pro M426fdw work fine, I think there is some sort of bug in the SMTP clients of these newer printers. They all tell me to test with Yahoo or G-Mail accounts, so the SMTP clients deal well with those, but when they bump into a postfix or qmail SMTP server they don't do so well.

 

I'll let you know if HP Support ever gets back to me on that open ticket.

HP Recommended

Hi StreamIan, thank you so much for your detailed reply. I have established that (at least on my side) the issue is related to Microsoft requiring STARTTLS (related to requiring MFA, I don't know?) whereas the HP settings only have TLS/SSL. 

I have changed the email address from where the printer sends the scans to mail to a non-Microsoft address and it works like a charm. Good luck with the fix on your side!

HP Recommended

Heya ElsVK,

 

Here's what my hosting provider said about the SMTP auth failing from the new HP LaserJet Pro MFP 4101 trying to authenticate:

 

Hello,

The use of CRAM-MD5 was an educated guess based on prior experience; in fact the use of the CRAM-MD5 encrypted password is just recorded as an incorrect password by our SMTP server. After the fix implemented by the system ( They kindly ENABLED CRAM-MD5 as an authentication mechanism to help me troubleshoot ) administrators, the log now confirms that the printer is trying to authenticate with the obsolete CRAM-MD5 method and our server successfully decodes the password and accepts the authentication:

Oct 1 09:55:49 mailhost chkpw[42138]: SMTP-587 CRAM-MD5 auth successfull for [customerprinter] (custuser.user). Pre-computed digest matches.
Oct 1 09:55:49 mailhost chkpw[42138]: SMTP-587 Auth success [[Personal Information Removed]] (custuser.user) (504/2786) from 127.0.0.5
 
So in my case, even though I had the CORRECT credentials, the printer was telling me they were INVALID credentials because my mail host was DENYING CRAM-MD5 authentication, which the printer construed as a credential failure.
 
I find this a little mystifying however because the SMTP Banner claims that CRAM-MD5 is a valid cred mech, so my host is kinda being wishy washy about this.
 

220 mailhost.isp.com ESMTP

EHLO HP6BE215

250-mailhost.isp.com

250-STARTTLS

250-PIPELINING

250-8BITMIME

250-AUTH LOGIN PLAIN CRAM-MD5

250 SIZE 0

STARTTLS

220 ready for tls

 
BUT this still didn't get me past the certificate hurdle unfortunately after my hosting provider enabled CRAM-MD5 on the account.
 
I'm not sure how difficult these are getting working with Microsoft 365, if you can configure a dedicated mail account I wouldn't think you'd bump into much of an issue, you'd also be able to scrutinize the conversation between the printer and Exchange's SMTP connector to see what exactly the printer is trying to do in this case, definitely a plus!

What would be NEAT is if the end user had finer grained control of the SMTP client on these printers under like an ADVANCED tab so we could get around some of the non-standard Google/Yahoo settings. At one point HP Support told me via chat that these printers won't work with RFC Compliant SMTP servers using traditional authentication, and that it would only work with services which allowed you to create "App Passwords". I'm guessing he's referring to Google and Yahoo's SMTP service where if you want to relay traffic through their SMTP server you must create a specific password for your account to authenticate!
 
I've asked for an update on my case, and if I hear anything I'll post back here, good luck!
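
Added example (not part of any post in this thread, and not HP's or the hosting provider's code): a Python sketch of the SMTP AUTH negotiation described in the last post. It parses the EHLO reply quoted there, shows which mechanism a client picks from the advertised list, and computes the RFC 2195 CRAM-MD5 response that the server log reports as a matching digest. The client preference order, the password and the challenge are assumptions constructed for illustration; the printer's real order is not documented on this page.

```python
import base64, hashlib, hmac

# EHLO reply copied from the transcript in the post above.
EHLO_REPLY = """250-mailhost.isp.com
250-STARTTLS
250-PIPELINING
250-8BITMIME
250-AUTH LOGIN PLAIN CRAM-MD5
250 SIZE 0"""

def parse_ehlo(reply):
    """Return {KEYWORD: [params]} from a multi-line 250 EHLO reply."""
    caps = {}
    for line in reply.splitlines()[1:]:          # first line is the server's domain
        if not line.startswith("250") or len(line) < 5:
            continue
        words = line[4:].split()
        if words:
            caps[words[0].upper()] = [w.upper() for w in words[1:]]
    return caps

def pick_mechanism(caps, client_order):
    """First mechanism in the client's preference order that the server advertises."""
    offered = caps.get("AUTH", [])
    return next((m for m in client_order if m in offered), None)

def cram_md5_response(user, password, challenge_b64):
    """RFC 2195 client reply: base64(user + ' ' + hex(HMAC-MD5(key=password, msg=challenge)))."""
    challenge = base64.b64decode(challenge_b64)
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode()).decode()

def server_verify(stored_password, challenge_b64, response_b64):
    """Server side: recompute the digest from the stored secret and compare."""
    user, _, digest = base64.b64decode(response_b64).decode().partition(" ")
    expected = hmac.new(stored_password.encode(), base64.b64decode(challenge_b64),
                        hashlib.md5).hexdigest()
    return user, hmac.compare_digest(digest, expected)

if __name__ == "__main__":
    caps = parse_ehlo(EHLO_REPLY)
    # Assumed preference order (hypothetical for the printer).
    print("client would choose:", pick_mechanism(caps, ["CRAM-MD5", "PLAIN", "LOGIN"]))
    # Constructed challenge and password, not taken from the thread.
    chal = base64.b64encode(b"<constructed.12345@mailhost.isp.com>").decode()
    resp = cram_md5_response("custuser.user", "constructed-pw", chal)
    print("server verdict:", server_verify("constructed-pw", chal, resp))
```

The EHLO reply in the transcript was captured before STARTTLS; RFC 3207 requires the client to discard it and issue EHLO again inside the TLS session, so the AUTH list the printer actually acts on may differ from the one shown. A server that cannot recompute the digest, or that has the mechanism disabled, answers with an authentication failure, which is what the printer reported as invalid credentials.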
 
 